A New Web of Trust

A core element of the Internet that helps millions of computer systems locate each other is finally getting a much-needed upgrade. The domain name system (DNS) works a lot like the Internet's phone book, translating the host names in the URLs that users type into a browser into the numerical addresses used to identify the servers that host the requested site.

Recently, this 30-year-old system has begun showing its age.

Last year, a team of high-profile security researchers raced to repair a critical flaw in DNS that made it possible to hijack legitimate communications, potentially directing unsuspecting Web surfers to malicious Web pages. The patch that the team came up with reduced the immediate danger but wasn't meant to be a permanent solution.

Credit: Technology Review

For a long-term fix, many experts are now looking to DNSSEC, a protocol that verifies DNS messages with digital signatures. The Public Interest Registry, which handles the .org domain, is implementing DNSSEC across all Web addresses ending with this suffix, and it plans to complete the first phase of the process early this year. The U.S. government has committed to turning on DNSSEC for .gov as well, and the newly formed DNSSEC Industry Coalition is pushing to get the protocol adopted even more widely.

This is something of a turnaround. In the 14 years since DNSSEC was first conceived, the protocol struggled to gain widespread adoption because it was seen to unnecessarily increase the complexity of implementing DNS. The key to the DNS flaw discovered last year is that the protocol was designed during a more trusting time and does not bother to authenticate information. Dan Kaminsky, director of penetration testing at IOActive, a security company based in Seattle, realized that, if an attacker could worm his way into a DNS communication, he could redirect Web traffic in almost any way. Features have been added to DNS to reduce the threat that messages will be hijacked, but DNSSEC adds real authentication to the system for the first time.

Alexa Raad, CEO of the Public Interest Registry, notes that someone had to be the first to implement the new protocol. Before now, she says, the organizations responsible for domain names weren't moving to integrate DNSSEC because they'd either be sending out credentials to servers that weren't listening for them, or they'd be listening for credentials that wouldn't be there. Raad says that the Public Interest Registry started integrating DNSSEC well before Kaminsky's flaw was announced, hoping to encourage adoption of the protocol by setting an example. The revelations of Kaminsky's flaw simply helped intensify the debate, she says. "For the past two years, a lot of the debate around DNSSEC centered around, 'Do we need it? Are there other technologies? How viable is it?' I think the debate has completely moved away from that. We all understand that DNS is in fact broken. The only solution for that is, in fact, DNSSEC. The debate is now, 'How do we deploy?'"

DNSSEC is about creating a "chain of trust," adds Ram Mohan, CTO of Afilias, which has been working to help the Public Interest Registry handle its deployment. There are many places where DNSSEC must be switched on in order for the chain of trust to flow unbroken from the user to a website. Once a top-level domain (such as .org or .com) implements DNSSEC, any website under that domain can choose to turn on DNSSEC as well, which is an important link in the chain. Since Internet service providers such as Comcast have started supporting DNSSEC, Mohan says, it's becoming possible for some website visits to fall largely under the protection of DNSSEC.
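The chain of trust Mohan describes, as an added example that is not part of the original article: each parent zone publishes a digest (a DS record) of its child's key and signs it, a validating resolver walks from the root key it trusts down to the answer, and any missing or mismatched link rejects the whole answer. Ed25519 (one of the signature algorithms DNSSEC supports) stands in for the zone keys; the record layout, the names root/org./example.org. and the addresses are simplified and constructed for this example, not real DNSSEC wire data.

```go
package main

import ("bytes"; "crypto/ed25519"; "crypto/rand"; "crypto/sha256")

// Zone is one signed zone: its name and key pair. This is a simplified model of DNSSEC
// signing, not the real record or wire format (an assumption made for this example).
type Zone struct{ Name string; Pub ed25519.PublicKey; priv ed25519.PrivateKey }
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Pub: pub, priv: priv}
}
func msg(rrName, rdata string) []byte { return []byte(rrName + "|" + rdata) }

// Sign produces an RRSIG-like signature over one record of this zone.
func (z *Zone) Sign(rrName, rdata string) []byte { return ed25519.Sign(z.priv, msg(rrName, rdata)) }

// DS is the digest of a child key that the parent publishes (like a DS record).
func DS(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }

// Link is one delegation: the child zone, the DS its parent publishes, the parent's signature on it.
type Link struct{ Child *Zone; DSData, DSSig []byte }

// Validate walks from the trust anchor (root key) down each delegation, then checks the
// record's signature with the leaf zone's key. One broken link fails the whole chain.
func Validate(anchor ed25519.PublicKey, links []Link, rrName, rdata string, sig []byte) bool {
	key := anchor
	for _, l := range links { // parent must have signed the DS, and the DS must match the key shown
		if !ed25519.Verify(key, msg(l.Child.Name+"|DS", string(l.DSData)), l.DSSig) { return false }
		if !bytes.Equal(l.DSData, DS(l.Child.Pub)) { return false }
		key = l.Child.Pub
	}
	return ed25519.Verify(key, msg(rrName, rdata), sig)
}

// Demo builds root -> org. -> example.org. with constructed keys and a constructed address,
// then reports whether a genuine answer, tampered data, and a rogue zone key validate.
func Demo() (genuine, tampered, rogueKey bool) {
	root, org, ex := NewZone("."), NewZone("org."), NewZone("example.org.")
	links := []Link{
		{org, DS(org.Pub), root.Sign("org.|DS", string(DS(org.Pub)))},
		{ex, DS(ex.Pub), org.Sign("example.org.|DS", string(DS(ex.Pub)))},
	}
	name, sig := "www.example.org.", ex.Sign("www.example.org.", "A 192.0.2.10")
	genuine = Validate(root.Pub, links, name, "A 192.0.2.10", sig)
	tampered = Validate(root.Pub, links, name, "A 198.51.100.7", sig) // data changed, old signature kept
	links[1].Child = NewZone("example.org.")                             // key org. never published a DS for
	rogueKey = Validate(root.Pub, links, name, "A 192.0.2.10", links[1].Child.Sign(name, "A 192.0.2.10"))
	return
}
```

The tampered and rogue-key cases are the situations an unsigned DNS cannot tell apart from a genuine answer; with the chain in place, only the answer signed by the key that .org vouched for validates.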

Paul Vixie, president of the Internet Systems Consortium, which maintains BIND, the software most commonly used to process DNS messages, expects the move toward DNSSEC to snowball. "With .gov and .org signed, there's finally a market for DNSSEC technology and services," he says. "Now that some others are implementing DNSSEC, many others will want to be in the business of providing DNSSEC solutions, and that will in turn make it possible for a lot of fence-sitters to finally climb down and join us."

Kaminsky himself was initially neutral on DNSSEC as a possible solution to the flaw that he discovered with DNS. He now sees DNSSEC as a good solution, but cautions that work still needs to be done to help it scale up. Most important, he says: other root domains, which are at the core of all DNS transactions, need to use DNSSEC. Although DNS was never designed to be at the heart of authentication on the Internet, "it is, and it's time we start treating it that way," Kaminsky adds.

Mohan says that he's hopeful that more domains will implement DNSSEC soon. "It's about damn time that DNS got more secure," he says. "The integrity of DNS traffic is starting to be questioned with the advent of phishing and botnets and stuff like that. Here is a concrete thing that can be done that is proven to eliminate a clear problem."
